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METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR 
GENERATING USER-DEPENDENT RSA VALUES WITHOUT STORING 
SEEDS 

Related Applications 

The present application is related to commonly 
assigned United States Patent Application Serial No. 
09/324,418, entitled "METHODS , SYSTEMS AND COMPUTER 
5 PROGRAM PRODUCTS FOR GENERATING USER- DEPENDENT 

CRYPTOGRAPHIC KEYS," (Attorney Docket No. 5577-160) the 
disclosure of which is incorporated herein by reference 
as if set forth fully. The present application is also 
related to commonly assigned United States Patent 
10 Application Serial No. 09/324,308, entitled "METHODS, 
SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR GENERATING 
USER- DEPENDENT RSA KEYS," (Attorney Docket No. 5577- 
159) the disclosure of which is incorporated herein by 
reference as if set forth fully. 

15 

Field of the Invention 

The present invention relates to cryptography and 
more particularly to the generation of cryptographic 
key values for RSA asymmetric cryptosystems . 

20 

Background of the Invention 

Asymmetric (or public) key cryptosystems use two 
different keys that are not feasibly derivable from one 
another, one for encryption and another for decryption. 
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A person wishing to receive messages, generates a pair 
of corresponding encryption and decryption keys. The 
encryption key is made public, while the corresponding 
decryption key is kept secret. Anyone wishing to 
5 communicate with the receiver may encrypt a message 

using the receiver's public key. Only the receiver may 
decrypt the message, since only he has the private key. 
Asymmetric-key cryptosystems may also be used to 
provide for digital signatures, in which the sender 
10 encrypts a signature message using his private key. 
Because the signature message can only be decrypted 
with the sender's public key, the recipient can use the 
sender's public key to confirm that the signature 
message originated with the sender. One of the best- 
15 known asymmetric-key cryptosystems is the RSA, named 
for its originators Rivest, Shamir and Adleman. One 
version of RSA is defined by ANSI Standard X9. 31-1998. 

RSA is widely used in many cryptographic systems. 
RSA gets its security from the difficulty of factoring 
2 0 large prime numbers. The RSA public and private keys 
are derived from two randomly selected large prime 
numbers . 

The general way to derive the two RSA keys is as 
follows. First choose two random large prime numbers p 

25 and g. Compute W-pxg, which is referred to as the 

public modulus. Then randomly choose the public key e 
such that e and (p-l)x(g-l) are relatively prime. 
Finally, compute the private key d such that 
d=e -1 mod ( (p-1) x (g-1) ) - RSA encryption and decryption 

30 formulas are straightforward. To encrypt a message m, 
compute c=m e mod N, where c is the ciphertext . To 
decrypt c, compute m=c d mod N. 

It has been suggested that two users with 
different moduli might have a common prime factor in 

35 their moduli, either by accident or because of a poor 



design (design flaw) in the system. If N^p^q-^ and 
N 2 =p 2 *q 2 , where p 1 =p 2 , then it is easy to find p 1 or p 2 
given N x and N 2 , i.e., an efficient algorithm exists to 
find the common factor p 1 or p 2 given N r and N 2 . If such 
5 a common prime factor were to exist, and this fact were 
discovered, then it would also be an easy matter to 
factor each modulus into its prime factors. This, of 
course, would allow the private keys to be computed 
from the corresponding public keys, and hence for the 

10 security of the keys to be compromised. 

One of the drawbacks of the existing methods for 
RSA key generation is that six seed values may need to 
be stored in case an audit will be performed. These 
seeds will demonstrate that the primes were indeed 

15 generated at random and that the user was not trying to 
choose the primes with some peculiar properties. Such 
saving of seed values may result in a security exposure 
as the seed values could be illicitly obtained and used 
to generate the RSA key values. In commonly assigned 

20 United States Patent Application entitled "METHOD, 

SYSTEM AND APPARATUS FOR GENERATING SELF- VALIDATING 
PRIME NUMBERS" filed July 10, 1998, serial number 
09/114,024, the disclosure of which is incorporated 
herein by reference, a scheme was developed that 

25 incorporated the knowledge of the seeds into the primes 
themselves. Therefore, the seeds need not be stored in 
order to pass an audit. However, the generated primes 
were not necessarily unique and could not be associated 
with a particular user. 

30 In general, mechanisms for differentiating between 

users are known. For example, a particular individual 
can be identified or verified through a user identifier 
(such as a globally unique name) or biometric data 
(such as fingerprint, hand geometry, iris pattern, 
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facial features, voice characteristics, handwriting 
dynamics, earlobe characteristics, etc.). 

As is well known to those having skill in the art, 
biometric information is one or more behavioral and/or 
physiological characteristics of an individual. 
Biometric identification and/or verification uses a 
data processing system to enable automatic 
identification and/or verification of identity by 
computer assessment of a biometric characteristic. In 
biometric verification, biometric information is 
verified for a known individual. In biometric 
identification, biometric information for an individual 
is compared to known biometric information for many 
individuals in order to identify the individual. 

Biometric identification/verification systems, 
methods and computer program products can measure one 
or more of the following behavioral and/or 
physiological characteristics of an individual: 
fingerprint, hand geometry, iris pattern, facial 
features, voice characteristics, handwriting dynamics, 
earlobe characteristics and keystroke dynamics. Other 
biometric characteristics may be used. Applications 
using biometric technologies include biometric check 
cashing machines, payment systems that substitute 
biometric data for personal identification numbers, 
access control systems that use biometric data, 
biometric employee time and attendance recording and 
biometric passenger control for transportation. Many 
other applications may utilize biometric information 
for identification and/or verification. See the 
publications entitled "Biometrics , Is it a Viable 
Proposition for Identity Authentication and Access 
Control", to Kim, Computers & Security, Vol. 14, 1995, 
pp. 205-214; "A Robust Speaker Verification Biometric" , 
to George et al . , Proceedings, the IEEE 29 th 



International Carnahan Conference on Security 
Technology, Oct. 1995, pp. 41-46; "On Enabling Secure 
Applications Through Off-line Biometric 
Identification", to Davida et al . , Proceedings of the 
IEEE Computer Society Symposium on Research in Security 
and Privacy, 1998, pp. 148-157; and "Biometric 
Encryption: Information Privacy in a Networked World", 
to Brown et al . , EDI Forum: The Journal of Electronic 
Commerce, v. 10, No. 3, 1997, pp. 37-43. However, 
while biometric identification and user identification 
may allow for identification of users, these existing 
uses may not allow for authentication of the source of 
encryption keys. 

In the above cited Davida et al. publication, in 
Section 5.2, it was proposed that biometrics could be 
used with or as keys. However, Davida et al. assumes 
that the biometric information is secret information. 
Furthermore, Davida et al. may not work for any size 
key and describes a procedure which may not allow for 
pre-computing information for generation of a key 
value. Furthermore, the proposal of Davida et al. may 
allow two users to generate the same key values and, 
thus, does not assure that the generated keys are 
dis j oint . 

In light of the above discussion, a need exists 
for improvements in the generation of encryption keys 
for RSA cryptosystems so as to allow authentication of 
a user's generated values without requiring storage of 
the secret seed values. 

Summary of the Invention 

In view of the above discussion, it is an object 
of the present invention to provide cryptographic keys 
which may be authenticated. 



A further object of the present invention is to 
provide for the generation of cryptographic keys which 
may be audited to determine the user who generated the 
cryptographic keys. 
5 A further object of the present invention is to 

provide RSA keys which satisfy the requirements of the 
ANSI Standard X9. 31-1998. 

Yet another object of the present invention is to 
provide RSA keys which are disjoint for different 
10 users. 

These and other objects of the present invention 
may be provided by methods, systems and computer 
program products which generate an RSA cryptographic 
value utilizing user specific information (B) about a 

15 user, a first secret seed value (W p ) , a second secret 
seed value (W q ) and a thira, publicly known, 
randomization value (IV) having a first portion (IV p ) 
and a second portion (IV q ) . A potential range of RSA 
cryptographic values are divided into a first interval 

20 and a second interval and a first initial value (XX p ) is 
generated based on the first secret seed value (W p ) , the 
second secret seed value (W q ) and the first portion of 
the third randomization value (IV p ) . The first initial 
value is mapped to a user specific segment of the first 

25 interval utilizing the obtained user specific 

information (B) to provide a mapped first initial value 
(X p ) . A first user dependent RSA cryptographic value (p) 
is selected from the user specific segment of the first 
interval utilizing the mapped first initial value as a 

30 starting point for a search for the first user 

dependent RSA key value. A second initial value (XX q ) 
is generated based on the first user dependent RSA 
encryption value (p) , the second secret seed value (W q ) 
and the first portion of the third randomization value 

35 (IVg) . The second initial value is mapped to a user 



specific segment of the second interval utilizing the 
user specific information to provide a mapped second 
initial value (X q ) . A second user dependent RSA 
cryptographic value (q) is then generated from the user 
specific segment of the second interval utilizing the 
mapped second initial value as a starting point for a 
search for the second user dependent RSA cryptographic 
value . 

In a further embodiment of the present invention, 
auxiliary prime divisors corresponding to the first 
user dependent RSA key value (p) and the second user 
dependent RSA key value (q) are also generated based 
upon the first secret seed value (W p ) , the second secret 
seed value (W q ) and the third randomization value (IV) . 
In such a case, where p 0 is a publicly known prime 
number whose length is at least n bits (where p and q 
have a length of n bits) and g is a public generator, 
the auxiliary prime divisors may be generated by 
concatenating the first secret seed value (W p ) , the 
second secret seed value (W q ) and the third 
randomization value (IV) so as to provide an exponent 
value (X) . An initial random value is then generated 
by determining Y=g* (modp 0 ) so as to provide initial 
prime search values. The most significant bit of the 
initial prime search values is set to "1" to provide 
final prime search values. The auxiliary prime 
divisors are then selected as the smallest prime value 
greater than or equal to the final prime search values. 
Furthermore, a new first secret seed value (W p ) , a new 
second secret seed value (W q ) or a new third 
randomization value (IV) may be selected if the length 
of at least one of the prime divisors is greater than 
the length of the final prime search values. In such a 
case, the prime divisors are regenerated if the length 



of at least one of the prime divisors is greater than 
the length of the final prime search values. 

In a still further embodiment, the initial prime 
search values have a first length if a public 
encryption exponent (e) has an odd value and a second 
length if the public encryption exponent (e) has an 
even value. In particular, the first and second 
lengths are fixed, and preferably fixed so that the 
first length is 120 bits and the second length is 118 
bits. 

In further embodiments of the present invention, 
the user specific segments comprise the segments 

[A+(B(C-A) ) /2 b , A+( (B+l) (C-A) ) /2 b ] wherein A and C are 
the endpoints of the respective intervals and the user 
specific information comprises b bits. In particular, 
where the RSA cryptographic values comprise n bits, the 

first interval may comprise RSA cryptographic values 

from the set of [^2 (2 n ~ 1 ) , 2 n ~ 1 +2 n ~ 3/2 ] and the second 
interval may comprise RSA cryptographic values from the 
set of [2 n ~ 1 +2 n ' 3/2 , 2 n ] . Also, where the binary size of 

the RSA values are 2n and a size m is n-b-2 , then the 
mapping may be achieved by linearly mapping the first 
initial value to a user specific segment of the first 
interval utilizing the obtained user specific 
information (B) utilizing the linear mapping function 

G (x) =4 (1-— )x+/22 n - 1 +4 (1-— ) (B-l)2 m ~ 1 . The mapped 

first initial value (X p ) is then selected as the largest 
integer value which is not greater than the first 
initial value (XX p ) mapped utilizing the mapping function 
G, u . Similarly, the second initial value may be 



linearly mapped to a user specific segment of the 
second interval utilizing the obtained user specific 
information (B) by utilizing the linear mapping 

function G 2i0 {x) =4 (1--| ) x + 2"" 1 + 2 n " 3/2 +4 ) (B-l)2 ra " 1 . 

5 The mapped second initial value (X q ) is the selected as 
the largest integer value which is not greater than the 
second initial value (XX q ) mapped utilizing the mapping 
function G 2iU - 

In a particular embodiment of the present 
10 invention, the user specific information is biometric 

information. The user specific information may also be 
a globally unique user identification. 

In another embodiment of the present invention, if 
a candidate for p is considered outside the range of 
15 RSA cryptographic values in the user specific segment 
of the first interval then at least one of a new first 
secret seed value (W p ) , a new second secret seed value 
(W q ) or a new third randomization value (IV) is 
selected. If a candidate for q is considered outside 
20 the range of RSA key values in the user specific 

segment of the second interval then at least one of a 
new first secret seed value (W p ) , a new second secret 
seed value (W q ) or a new third randomization value (IV) 
is also selected. In either case, the value generation 
25 is restarted. Similarly, if 2 16 -1 candidates for p have 
been rejected in selecting the first user dependent RSA 
cryptographic value or if 2 16 -1 candidates for q have 
been rejected in selecting the second user dependent 
RSA cryptographic value, then at least one of a new 
30 first secret seed value (W p ) , a new second secret seed 
value (W q ) or a new third randomization value (IV) is 
selected and value generation restarted. 



RSW9-99-055 



-9- 



In one embodiment of the present invention, the 
first initial value is generated by mixing the 
concatenation of W q and IV q utilizing a publicly known 
mixing function, concatenating W p and IV p and 
5 EXCLUSIVE-ORing the mixed concatenation of W q and IV q 
and the concatenation W p and IV P to provide the first 
initial value (XX P ) . The second initial value is 
generated by EXCLUSIVE ORing p and IV p , mixing the 
EXCLUSIVE OR of p and IV p utilizing the publicly known 
10 mixing function, concatenating W q and IV q and EXCLUSIVE- 
ORing the mixed EXCLUSIVE OR of p and IV P and the 
concatenation W q and IV q to provide the second initial 
value (XX q ) . 

Furthermore, the generated RSA cryptographic 
15 values p and q may subsequently be authenticated based 
on the cryptographic values themselves. Such 
authentication may be accomplished by recovering two 
candidate prime values utilizing the RSA public modulus 
(n) and the private signature exponent (d) and 
20 establishing a first of the two prime values as a first 
candidate key value (p') and the second of the two 
prime values as a second candidate key value (q'). 
First and second candidate seed values W p ' and W q ' are 
recovered from the first and second candidate key 
25 values p' and q' and from the third publicly known seed 
value IV. First and second RSA key values p' ' and q' ' 
are then generated utilizing W p ' and W q ' and IV and 
compared with p' and q' to authenticate the 
cryptographic values. The recovered p' and q' may also 
30 be determined to not be authentic if p' and q r are 

values outside the user defined segments of the first 
and second intervals. The first of the two prime 
numbers is a smaller of the two prime numbers. 
In a particular embodiment of the present 
35 invention, the first and second candidate seed values 
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W p ' and W q ' are recovered from the first and second 
candidate key values p' and q' and from the third 
publicly known seed value IV by inverse mapping the 
second candidate value q' to provide a first initial 
5 value S q . The first candidate key value p' and IV p are 
EXCLUSIVE ORed, and the EXCLUSIVE OR of the first 
candidate key value p 1 and IV p mixed with the publicly 
known mixing function. The mixed EXCLUSIVE OR of the 
first candidate key value p' and IV p is EXCLUSIVE ORed 
10 with IV q to provide a first known value having a length 
(j). It is then determined if the value corresponding 
to the j least significant bits of S q are less than the 
first known value. The n-j most significant bits of 
the mixed concatenation of the first candidate key 
15 value p' and IV P is EXCLUSIVE ORed with the n-j most 

significant bits of S q if the value corresponding to the 
j least significant bits of the S q is less than the 
first known value to provide the second candidate seed 
value or with 1 subtracted from the value corresponding 
20 to the n-j most significant bits of S q if the value 
corresponding to the j least significant bits of the 
first subsequent value are not less than the first 
known value to provide the second candidate seed value. 
The first candidate value p' is also inverse mapped to 
25 provide a second initial value S p . The second candidate 
seed value is concatenated with IV q and mixed with the 
publicly known mixing function. The mixed 
concatenation of the second candidate seed value and IV q 
is EXCLUSIVE ORed with IV p to provide a second known 
30 value having a length (j). It is then determined if 

the value corresponding to the j least significant bits 
of S p are less than the second known value and the n-j 
most significant bits of the mixed concatenation of the 
second candidate seed value and IV q are EXCLUSIVE ORed 
35 with the n-j most significant bits of S p if the value 



corresponding to the j least significant bits of S p are 
less than the second known value to provide the first 
candidate seed value and with 1 subtracted from the 
value corresponding to the n-j most significant bits of 
5 S p if the value corresponding to the j least significant 
bits of S p are not less than the second known value to 
provide the first candidate seed value. 

By mapping a user specific range of values onto 
the potential range of prime values, the present 
10 invention can guarantee that different users will 

select prime values from different ranges. Thus, the 
range of prime values from which an RSA prime is 
selected may be used to authenticate and audit the 
prime after generation. If a prime is not from the 
15 user specific range mapped onto the range of potential 
prime values, then the key value was not from the user 
corresponding to the user specific information. 

As will further be appreciated by those of skill 
in the art, the present invention may be embodied as 
20 methods, apparatus /systems and/or computer program 
products . 

Brief Description of the Drawings 

Figure 1 is diagram of a data processing system 
25 that can be used with the present inventions- 
Figure 2 is a detailed view of a data processing 

system that can be used with the present inventions- 
Figure 3 is a flowchart illustrating operations 

for user specific encryption according to an embodiment 
30 of the present inventions- 
Figure 4 is a flowchart illustrating 

authentication/auditing of an encrypted message 

according to one embodiment of the present invention; 
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Figure 5 is diagram illustrating the division of 
the key space and the assignment of user specific 
subspaces for an RSA encryption technique according to 
the present invention; 
5 Figure 6 is a flowchart illustrating operations 

according to one embodiment of the present invention 
for generating auxiliary prime values; 

Figure 7 is a flowchart illustrating operations 
according to one embodiment of the present invention 
10 for generating prime values p and q for use in RSA 
encryption; and 

Figure 8 is a flow chart illustration operations 
for recovering secret seed values from p and q values 
for an encoded message. 

15 

Detailed Description of the Invention 

The present invention now will be described more 
fully hereinafter with reference to the accompanying 
drawings, in which preferred embodiments of the 

20 invention are shown. This invention may, however, be 
embodied in many different forms and should not be 
construed as limited to the embodiments set forth 
herein; rather, these embodiments are provided so that 
this disclosure will be thorough and complete, and will 

25 fully convey the scope of the invention to those 
skilled in the art. Like numbers refer to like 
elements throughout. 

The present invention can be embodied as systems, 
methods, or a computer program products for generating 

30 a user-dependent RSA cryptographic primes and keys 

which are unique. Furthermore, the present invention 
may also provide for verification of encrypted data 
without requiring a user to store the secret seed 
values which may expose the seed values to being 
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discovered. As will be appreciated by those of skill 
in the art, the present invention can take the form of 
an entirely hardware embodiment, an entirely software 
(including firmware, resident software, micro-code, 
5 etc.) embodiment, or an embodiment containing both 
software and hardware aspects. Furthermore, the 
present invention can take the form of a computer 
program product on a computer-usable or computer- 
readable storage medium having computer-usable or 

10 computer-readable program code means embodied in the 
medium for use by or in connection with an instruction 
execution system. In the context of this document, a 
computer-usable or computer-readable medium can be any 
means that can contain, store, communicate, propagate, 

15 or transport the program for use by or in connection 
with the instruction execution system, apparatus, or 
device . 

The computer-usable or computer-readable medium 
can be, for example but not limited to, an electronic, 

20 magnetic, optical, electromagnetic, infrared, or 

semiconductor system, apparatus, device, or propagation 
medium. More specific examples (a nonexhaust ive list) 
of the computer-readable medium would include the 
following: an electrical connection having one or more 

25 wires, a portable computer diskette, a random access 
memory (RAM) , a read-only memory (ROM) , an erasable 
programmable read-only memory (EPROM or Flash memory) , 
an optical fiber, and a portable compact disc read-only 
memory (CD-ROM) . Note that the computer-usable or 

30 computer-readable medium could even be paper or another 
suitable medium upon which the program is printed, as 
the program can be electronically captured, via, for 
instance, optical scanning of the paper or other 
medium, then compiled, interpreted, or otherwise 
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processed in a suitable manner if necessary, and then 
stored in a computer memory. 

Referring now to Figure 1, an exemplary embodiment 
of a computer system 30 in accordance with the present 
5 invention typically includes input devices 32, such as 
a keyboard or keypad 31, a microphone 42 and/or 
preferably, a biometric information input device 35. 
The computer system 30 also preferably includes a 
display 34 and a memory 36 that communicate with a 
10 processor 38. The computer system 30 may further 

include a speaker 44 and an I/O data port(s) 46 that 
also communicate with the processor 38. The I/O data 
ports 46 can be used to transfer information between 
the computer system 30 and another computer system or a 
15 network (e.g., the Internet). Figure 1 also 

illustrates that computer system 30 may include a 
storage device 40 which communicates with memory 36 and 
processor 38. Such a storage device may be any type of 
data storage device as described above. These 
20 components are included in many conventional computer 
systems (e.g., desktop, laptop, or handheld computers) 
and their functionality is generally known to those 
skilled in the art. 

Furthermore, while the present invention is 
25 described with respect to the computer system 30, as 
will be appreciated by those of skill in the art, the 
present invention may be incorporated into many other 
devices where RSA cryptographic primes and/or keys are 
generated and/or authenticated and, thus, may comprise 
30 an embedded function in many other devices. Thus, the 
present invention should not be construed as limited to 
use in computer systems such as illustrated in Figure 1 
but may be incorporated in any device having sufficient 
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processing capabilities to carry out the operations 
described below. 

Figure 2 is a more detailed block diagram of the 
computer system 30 that illustrates one application of 
5 the teachings of the present invention. The processor 
38 communicates with the memory 36 via an address/data 
bus 48. The processor 38 can be any commercially 
available or custom microprocessor or other processing 
system capable of carrying out the operations of the 
10 present invention. The memory 36 is representative of 
the overall hierarchy of memory devices containing the 
software and data used to implement the functionality 
of the computer system 30. The memory 36 can include, 
but is not limited to, the following types of devices: 
15 cache, ROM, PROM, EPROM, EEPROM, flash, SRAM, and DRAM. 

As shown in Figure 2, the memory 36 may hold four 
major categories of software and data used in the 
computer system 30: the operating system 52; the 
application programs 54; the input/output (I/O) device 
20 drivers 58; and the data 56. The I/O device drivers 58 
typically include software routines accessed through 
the operating system 52 by the application programs 54 
to communicate with devices such as the input devices 
32, the display 34, the speaker 44, the microphone 42, 
25 the I/O data port(s) 46, and certain memory 36 

components. The application programs 54 comprise the 
programs that implement the various features of the 
computer system 30 and preferably include at least one 
application module or object for RSA key generation 
30 and/or authentication 60 which carries out the 

operations of the present invention as described below. 
Finally, the data 56 represents the static and dynamic 
data used by the application programs 54, operating 
system 52, I/O device drivers 58, and any other 



software program that may reside in the memory 36. As 
illustrated in Figure 2, the data 56 preferably 
includes a secret seed value 70 and biometric or other 
user specific data 72. However, as will be appreciated 
5 by those of skill in the art, the secret seed values 
need not be maintained in memory. Furthermore, the 
biometric or user specific data may be publicly known. 
Additional intermediate data (not shown) may also be 
stored in memory. Furthermore, while the present 
10 invention is described as an application executing on 
computer system 30, as will be appreciated by those of 
skill in the art, the present invention may be 
implemented in any number of manners, including 
incorporation in operating system 52 or in an I/O 
15 device driver 58. 

The present invention will now be described with 
respect to Figures 3, 4 and Figures 6 through 8. 
Figures 3, 4 and 6 through 8 are flowchart 
illustrations of embodiments of the present invention. 
20 It will be understood that each block of the flowchart 
illustrations and/or block diagrams, and combinations 
of blocks in the flowchart illustrations and/or block 
diagrams, can be implemented by computer program 
instructions. These program instructions may be 
25 provided to a processor to produce a machine, such that 
the instructions which execute on the processor create 
means for implementing the functions specified in the 
flowchart or block diagram block or blocks. The 
computer program instructions may be executed by a 
30 processor to cause a series of operational steps to be 
performed by the processor to produce a computer 
implemented process such that the instructions which 
execute on the processor provide steps for implementing 
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the functions specified in the flowchart or block 
diagram block or blocks. 

Accordingly, blocks of the block diagrams and/or 
flowchart illustrations support combinations of means 
for performing the specified functions, combinations of 
steps for performing the specified functions and 
program instruction means for performing the specified 
functions. It will also be understood that each block 
of the block diagrams and/or flowchart illustrations, 
and combinations of blocks in the block diagrams and/or 
flowchart illustrations, can be implemented by special 
purpose hardware-based systems which perform the 
specified functions or steps, or combinations of 
special purpose hardware and computer instructions. 

The present invention provides for generating and 
authenticating RSA cryptographic primes and/or keys 
using user specific information such as users' user 
identification (userlD) data as well as users' 
biometric data. While userlD data and biometric data 
are fundamentally different, the two data types have 
characteristics in common which may be exploited in 
providing user-dependent cryptographic primes and/or 
keys. For example, some of the differences in userlD 
and biometric data can be identified as follows: 

1) A userlD is assigned to a user, whereas 
biometric data is obtained or derived from 
the user. Generally speaking, a user's 
userlD is an independent variable, whereas a 
user's biometric data is a dependent 
variable . 

2) A user's userlD can be changed. A user's 
biometric data cannot be changed. At most, a 
user can attempt to switch from one biometric 
to another biometric (e.g., fingerprint to 
hand geometry) . 



3) Generally, the set or space of user 
identifiers may be dense, making it feasible 
to enumerate the set of user identifiers. 
Generally, the space of user biometric data 
is not dense, making it infeasible to 
enumerate the biometric data for each user. 

4) Biometric data can be used to authenticate a 
user while userlD data cannot be used to 
authenticate a user. 

5) A userlD is a constant. User biometric data 
is not constant. 

However, the similarities in userlD and biometric 
data which may be utilized to provide user-dependent 
cryptographic keys can be identified as follows: 

1) A userlD is different for each user and 
biometric data is generally different for 
each user. Note that, in some cases, it may 
happen that the biometric data for one user 
overlaps (in whole or in part) with another 
user. The degree to which this may occur can 
depend on a combination of the biometric 
method being employed and the sensitivity of 
the biometric reader devices being employed. 

2) A userlD data is non-secret data. Biometric 
data should be considered as non-secret data, 
although in some vendor proprietary systems 
user biometric data is encrypted (i.e., 
protected) . Since there is no practical way 
to prevent the capture of user biometric data 
outside the biometric system, it is false to 
assume that the secrecy of user biometric 
data can be maintained over time. 

3) Biometric data, like userlD data, can be used 
to identify users. In fact, in some sense, 
biometric data offers a better mechanism for 
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user identification, since biometric data 
provides a mechanism of positive 
identification, whereas userlD data, until 
verified via a separate authentication 
protocol, is only representative of a claimed 
identity. 

One potential advantage to using biometric data as 
the user specific information is that with biometric 
data, there is potentially an easy mechanism for the 
user to prove their identity, especially if the user 
carries their biometric certificate on a portable token 
(e.g., smart card). With a userlD, the presumed or 
claimed identity of the user is known, however, the 
user to whom the key or cryptographic variable belongs 
will not necessarily have an easy means to prove that 
they are that user. A user will not always carry 
sufficient credentials to prove their identity (e.g., 
birth certificate or passport) . 

The present invention provides for RSA encryption 
which may comply with the ANSI standards. The public 
RSA key N that needs to be generated for RSA encryption 
may have a binary length of 2n. The prime numbers p 
and q whose product is N must be within the range 

J2 (2 n ~ 1 ) <p r q<2 n . User-specific information, denoted 

by B, can be encoded in b bits of data and these data 
are different from one user to another. When the user- 
specific data is biometric information, either the 
"biometric sample" taken in real-time or the pre- 
computed reference "biometric template" of a user may 
be utilized. In either case it is assumed that the 
biometric data is constant. Biometric data need not be 
secret. It is further preferred that the b bits allows 



for expressing any fuzziness included in the biometric 
data, if biometrics are used as the user-specific data. 

The ANSI standard requires that the primes p and g 
satisfy the following properties: 

1. p-1 has a prime divisor, p 17 whose binary 
length is between 100 and 120 bits. 

2. p+1 has a prime divisor, p 2 , whose binary 
length is between 100 and 120 bits. 

3. g-1 has a prime divisor, q lr whose binary 
length is between 100 and 120 bits. 

4. g+1 has a prime divisor, q 2 , whose binary 
length is between 100 and 120 bits. 

5. |p-q|>2- 100 . 

6. Both (p-l)/2 and (g-l)/2 must be mutually 
prime with the RSA public exponent e. 

7. If the RSA public exponent e is even then it 
is required that p=3(mod8)and g=7(mod8). 

The present invention can satisfy each of these 
criteria, thus, allowing compliance with the ANSI RSA 
standard. 

While p lr p 2 , g x and g 2 are each to be between 100 
and 120 bits in length, the present invention sets 
these values which aids in recovering the seed values 
from later derived p and g values. In the present 
example, these values are each exactly 120 bits long if 
e is odd and exactly 118 bits long when e is even. The 
reason for choosing the slightly shorter primes when e 
is even is that in this case the primes p and g are 
selected from a sequence of numbers that differ from 
each other by 8p!p 2 or ^q^q 2r rather than by PiP 2 or q x q 2 
in the case of an odd e. It is necessary to know what 
the maximum size of the step in the search procedure 
for p and g and this is one way to accomplish it. 



Figure 3 illustrates an embodiment of the present 
invention which can guarantee that two different users 
will generate different cryptographic values and which 
incorporates information about the secret seed values 
used in the encryption which allows for authentication 
of the cryptographic values without resort to stored 
secret seed values. As seen in Figure 3, the user 
specific information, such as biometric information or 
a user identification, is obtained (block 300) . The 
user-specific data B may be a binary string of length 
b. Also obtained are secret seed values W p and W q and a 
public randomization value IV (block 302) . The secret 
seed values need not be obtained from a stored location 
but may be generated at the time of encryption. In the 
present description, the value of n-b-2 will be denoted 
as m. Both W p and W Q are secret values, each has the 
length of m-256 bits. The IV parameter may be non- 
secret. It is used for the randomization of the entire 
prime generation process, so that even the same user 
starting with the same pair of secret values W p and W q 
will generate different primes when the IV parameter is 
altered. This IV value is represented as a 
concatenation of two binary strings, IV=IV p \\ IV q , where 
the length of each of IV p and IV q is 32 bytes (256 bits) 
and the length of IV is therefore 64 bytes. 

As is further illustrated in Figure 3, after 
obtaining the input parameters for the encryption 
process, the auxiliary primes p lr p 2 , q x and q 2 are 
generated from the secret seed values W p and W q and the 
public randomization value IV (block 304) . The 
potential key space for p and q is then divided into 
two equal intervals I I and I 2 (block 306) . An initial 
start value is then generated for the search for p from 
W W , IV , IV„ (block 308). This initial start value 



XX p for p is then mapped into a user specific one of the 
2 b segments of the first of the intervals J x utilizing a 
linear mapping function G 1/D (block 310) . The user 
specific one of the 2 b segments of I 1 into which the 
5 initial start value XX p is mapped is based on the user 
specific information such that the segments 
corresponding to different user specific information 
are disjoint. Furthermore, note that each of the 2 b 
segments contain cryptographic values having n bits. 
10 The user-dependent cryptographic value for p is then 
selected utilizing conventional RSA prime search 
procedures, however, the value for p is selected from 
the subspace selected by the user specific information 
utilizing the mapped initial start value to start the 
15 search for p (block 312) . 

After generation of the prime p, the prime q is 
generated. An initial start value is generated for the 
search for q from p, W q , IV p and IV Q (block 314) . This 
initial start value XX q for q is then mapped into a user 
20 specific one of the 2 b segments of the second of the 
intervals I 2 utilizing a linear mapping function G 2tU 
(block 316) . The user specific one of the 2 b segments 
of J 2 into which the initial start value XX q is mapped 
is based on the user specific information such that the 
25 segments corresponding to different user specific 
information are disjoint. The user-dependent 
cryptographic value for q is then selected utilizing 
conventional RSA prime search procedures, however, the 
value for q is selected from the subspace selected by 
30 the user specific information utilizing the mapped 

initial start value to start the search for q (block 
318) . 

Operations for authentication of crytpgraphic 
values generated utilizing the operations of Figure 3 
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are illustrated in Figure 4. As is seen in Figure 4, 
the authentication of the encrypted values does not 
require the secret seed values W p and W q as inputs and, 
therefore, does not require storing of more secret 
information than is conventionally done in RSA 
operations. The prime number authentication procedure 
uses only the RSA private signature exponent d, which 
has to be stored to perform the RSA signature and/or 
encryption operations, and the readily-available public 
information: the user-specific parameter B, the RSA 
public modulus N and the public verification exponent 
e. Thus, the present invention provides for the 
ability to authenticate encrypted information without 
increasing the exposure to compromise of the encryption 
process by the storage of additional secret values. 

Turning to the operations of Figure 4, the public 
exponent e, private exponent d and the public modulus N 
are obtained (block 400) and p and q are extracted from 
this information (block 402) . The recovery of p and q 
from this information may be accomplished by 
conventional techniques known to those of skill in the 
art. One such technique is described in Section 8.2.2 
of A. Menezes, P.C. Van Oorschot, and S. Vanstone, 
Handbook of Applied Cryptography, CRC Press, 1997. The 
smaller of the two recovered values is a p value and 
the larger one is a q value. This assumption must made 
because of the relative relationship of p and q based 
on the relationship of the first and second intervals. 
As will be appreciated by those of skill in the art, 
this relationship may be reversed or otherwise modified 
however it must be predefined. 

After recovering p and q from the encrypted 
information, it is determined if p and q are from the 
segments of the intervals J x and J 2 which correspond to 



the user specific information B (block 403) . If p or q 
are not from the corresponding user specific segments, 
then they are not authentic and the authentication 
process fails (block 410) . However, if p and q are 
5 from the proper segments, then W p and W q are recovered 
from p and q and IV (block 404) . Having recovered W p 
and W q , then the operations of Figure 3 are performed to 
regenerate potential primes p' and q' (block 406) . If 
p' and g' are equal to p and q (block 408) then the 
10 encrypted information is authentic and has passed 
authentication (block 412) . If the values are not 
equal then the authentication process has failed (block 
410) . 

Figures 6 through 8 provide further details on 

15 specific aspects of the encryption and authentication 
processes illustrated in Figures 3 and 4 and will be 
described with reference to Figure 5 which is an 
illustration of the mapping operations of the present 
invention to provide user-dependent RSA primes from the 

20 interval of potential primes for an n bit prime. 

Figure 6 illustrates in more details the 
operations of blocks 304 of Figure 3. As seen in 
Figure 6, operations for generating the auxiliary prime 
values are illustrated although there may be many ways 

25 to generate the auxiliary prime factors p lf p 2 , q 1 and 
q 2 . The choice of a particular approach is not that 
critical since these primes will not be used in 
regeneration of random seeds during the authentication 
process. The method of generating p lr p 2 , 3i and q 2 

30 should, however, guarantee a reasonable level of 
secrecy and randomness among the numbers that it 
produces . 

The auxiliary primes may be generated by 
concatenating W p , W q and IV to provide a 2m bit integer 



X (block 500) . As seen in block 502, the 2m bit 
integer is then used with a publicly known prime number 
p 0 whose length is at least n bits and a public 
generator g generate Y as Y^g* ( mo dp 0 ) . The length of 
5 the auxiliary primes k is then determined based on 
whether e is even or odd (block 504) . The length k is 
set to 120 bits if e is odd (block 506), or 118 bits if 
e is even (block 508) . The 4k least significant bits 
of Y may then be selected such that 

10 Y={. . . | | Y pl \ I Y p2 \ | Y gl \ I Y&) (block 510) . The most 

significant bit in each of these values is set to "1" 
(block 512) with the resulting four values being 
designated X plr X p2f X ql and X q2 , respectively. The prime 
number p 2 is the smallest prime greater than or equal to 

15 X pl (block 514) . Values for p 2 , q x and q 2 are similarly 
determined from X p2r X ql and X q2 (block 514) . It is then 
determined if the length of any of p x , p 2 , g 2 or q 2 is 
greater than k (block 516) . If so, then the process 
aborts and starts again with one or more new randomly 

20 generated seeds W pr W qr IV (block 518) . 

Figure 7 illustrates in further detail the 
operations of blocks 308 through 318 of Figure 3. The 
operations of Figure 7 begins after the potential 
encryption value space has been divided in the two 

25 intervals I x and I 2 as illustrated in Figure 5. As is 

seen in Figure 5, the interval 1= [/2 (2 n_1 ) , 2 n ] is 

divided into two intervals of equal lengths: 

I 1 =[ v ^(2 n " 1 ) ,2 n " 1 +2 n - 3/2 ] and I 2 = [2"^ +2 n ~ 3/2 , 2 n ] . 

For every user, the prime p will be selected from the 
30 interval I 1 and the prime q from the interval I 2 

utilizing the operations illustrated in Figure 7. 
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As is seen in Figure 7, W q and IV q are concatenated 
and the concatenated value mixed (block 600) utilizing 
a public mixing function. For example, the 1 to 1 
mixing function described in Matyas, M. , Peyravian, M., 
5 Roginsky, A., and Zunic, N . , "Reversible data mixing 
procedure for efficient public-key encryption, " 
Computers & Security Vol. 17, No. 3, (265-272) 1998, 
which can be applied to any arbitrary n-bit input may 
be utilized. W p and IV p are also concatenated (block 

10 602) and the results XORed with the results of the 

mixing (block 604) to provide the initial start point 
XX p in the interval d a illustrated in Figure 5. Thus, 
XX p = (W p \ | IVp) ®F{W q \ 1 IV q ) where F is the publicly known 
mixing function. If XX p is a 1 followed by m-1 zeroes, 

15 then the process aborts and starts again with the new W p 
and W q values. 

XX p is then linearly mapped to a user specific 
segment of the first interval J x utilizing a linear 
mapping function based on the user specific information 

20 (block 608) . This mapping is accomplished by the 
interval I I described above being divided into 2 b 
disjoint intervals equal in length. For user U with 
the user-specific parameter B, the corresponding 



25 A and C are the endpoints of interval I lr i.e., 

A=/2(2"~ 1 ) and C=2 i, " 1 +2 D_3/2 . The addition "B+l" is the 
bit addition (mod 2 b ) . The length of h uu is 

2 n "- b_1 (l-— ) , which is approximately equal to 1.17x2 m " 
y/2 
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Thus, a linear function G ltU may be defined that 
maps the [2 m ~'- r 2 m ) interval d v that contains all integers 
of binary length m into h lrU . The precise formula for 
G liU is as follows: 



S, Ax) =4 (1- — )x+ x /22 n " 1 + 4 ) (B-l) 2 in " 1 . 

y/2 y/2 



The start point X p for the search for p may then be 
determined by taking the largest integer smaller than 

10 the mapped XX p value (block 608) . In other words, 

lG lrU {XX p }] where [y] and |_yj are the ceiling and the floor 
of y, respectively, i.e., [4 . 2>5 and [4 . 2j =4. A value 
for p is then generated by evaluating up to 2 16 -1=65,535 
candidates for p utilizing the starting point X p as the 

15 start for the search (block 610). If more than 

2 16 -1=65,535 candidates were rejected in selecting p 
(block 614) , then the process aborts and starts again 
with one or more new randomly generated seeds W p , W qr IV 
(blocks 630 and 632) . As described below, this 

20 limitation on the number of candidates which may be 
rejected in arriving at p, places bounds on the 
distance in the segment h li0 that p may be from X p which 
facilitates the recover of W p from p. If a p value was 
selected, it is then determined if the selected p is 

25 within the segment h lrU associated with the user 

specific information (block 614) . If p is not within 
the segment h liUr then the process aborts and starts 
again with one or more new randomly generated seeds W p , 
W q , IV (blocks 630 and 632) . 

30 Having established a value for p, the generation 

of a value for q begins by XORing p with IV p and then 
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utilizing the public mixing function F to mix the 
result (block 616) . The concatenation of W q and IV q is 
then XORed with the results of the mixing (block 618) 
to provide the initial start point XX q in the interval 
5 d a illustrated in Figure 5. Thus, XX = ( W a \ | IV q ) ®F(p®IV p ) 
where F is the publicly known mixing function. 
Furthermore, the XOR of two numbers that might be of a 
different length means that both numbers are right- 
justified and the XOR is taken of the least significant 

10 bits while the most significant bits are taken directly 
from the longer number. If XX g is a 1 followed by m-1 
zeroes, then the process aborts and starts again with 
the new W p and W q values. 

XX q is then linearly mapped to a user specific 

15 segment of the first interval J 2 utilizing a linear 

mapping function based on the user specific information 
(block 620) . This mapping maybe accomplished by the 
interval J 2 described above being divided into 2 b 
disjoint intervals egual in length. For user U with 

20 the user-specific parameter B, the corresponding 

interval wxll be h 2/U =[A+ — b ,A+- -] , where 

A and C are the endpoints of interval I 2 , i.e., 
A=2 n ~ 1 +2 n ~ 3/2 and C=2 n . The length of h 2iU is the same as 
that of h lrU . 

25 Thus, a linear function G 2rU may be defined that 

maps the [2 m ~ 1 ,2 m ) interval d a that contains all integers 
of binary length m into h 2iU . The precise formula for 
G 2rU is as follows: 

G 9 Jx) -4 (1- — )x+2 n " 1 +2 n " 3/2 + 4 (1-— ) (B-l)2 ffl " 1 . 
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The start point X q for the search for q may then be 
determined by taking the largest integer smaller than 
the mapped XX q value (block 622) . In other words, 
X q =\_G 2rU {XX q ) j. A value for q is then selected based 
5 utilizing the starting point X q and evaluating up to 
2 16 -1=65,535 candidates for q (block 624). If more than 
2 16 -1=65,535 candidates were rejected in selecting q 
(block 626) , then the process aborts and starts again 
with one or more new randomly generated seeds W p , W q , IV 

10 (blocks 630 and 632). If less than 65 , 535 . candidates 
were rejected in selecting q, then it is determined if 
the selected q is within the segment h 2rU associated 
with the user specific information (block 628) . If g is 
not within the segment h 2rUf then the process aborts and 

15 starts again with one or more new randomly generated 
seeds W p , W q , IV (blocks 630 and 632) . If g is within 
the segment h 2rU , , then the process of generating p and 
q is complete. The above described prime generation 
operations provides primes which automatically satisfy 

20 the condition | p-q\ <2 n ~ 100 as required in the ANSI 

standard through the selection of the intervals 1^ and 
l 2 - 

Thus, the present invention can provide RSA primes 
which are based on user specific information. These 

25 primes may then be further used to generate user- 
dependent RSA key values. Furthermore, because the 
intervals d 0 for users are disjoint, the resulting RSA 
primes will also be disjoint. By making the prime 
generation process dependent on user-specific data, 

30 such as a userlD or biometric data, one has the ability 
to later prove that a generated prime and/or key 
belongs to a particular user. In this regard, the 
present invention can provide a means to "brand" a key 
or prime so that its rightful user can be determined. 



RSW9-99-055 



-30- 



This branding feature may ensure that a user can prove 
that a key or prime is one belonging to, or generated 
in, their designated space of keys or primes and that a 
user cannot deny that a key or prime is one belonging 
5 to, or generated in, their designated space of keys or 
primes . 

The operations of block 404 of Figure 4 for the 

recovery of the seed values W p and W q will now be 
described in further detail with reference to Figure 8. 

10 As is seen in Figure 8, recovery begins by inverse 

mapping the q value from the user specific segment to 
the interval d u (block 700) . The next highest integer 
value from the mapped value is then selected as an 
initial value S q (block 702) . Thus, Sq may be expressed 

15 as S g =[y], where y=G 2rU ~ 1 {q) . S q may be represented as 

D q * I \E q , where the length of E q is j (i.e. 256) bits and 
the length of D q * is n-j (i.e. n-256) bits. From the 
definition of XX q , XX q may be represented as M q \ \ N q , 
where M q is an unknown (at this stage of the prime 

20 recovery) quantity and N q is a known j (i.e. 256-bit- 
long) string equal to IV q ®F (ps>IV p ) . N q is determined by 
XORing IV q with the mix of p XORed with IV p to provide a 
value of j bits in length (block 704) . 

Then, it is determined if the least significant j 

25 bits of S q (i.e. E q ) are greater than or equal to N q 
(block 706) . If Eg> N q then the first n-j bits of S q 
are used as D q (i.e. D q =D q ' ) (block 708). If the least 
significant j bits of S q are less than N q (block 706) 
then 1 is subtracted from value corresponding to the 

30 first n-j bits of S q and this value used as D g (i.e. 

D q =D q * -1) (block 710). This value of D q is the same as 
the n-j most significant bits of XX q . W q is then 
recovered by determining W q = D g ©(the n-j (i.e. 256) most 
significant bits of F{p®IV p ) ) (block 712) . 



To establish that the above procedure leads to the 
correct value of W qr it is first noted that 0 < XX q - 
Gz^iXq) < 1 r therefore XX q =[y], where y=G 2r ^ (X q ) . Now, 
0<[G 2tU ' 1 (q)y\G 2iU - 1 (X <? )1<G 2<C T 1 (g) -G 2rU ~ 1 (X q ) +1 = 

5 1 

i— (g-X g )+l<l 256 . 

4(1-—) 

Hence 0<S <7 -XX g <2 256 . This justifies the establishing of 
D q as either D q or D g '-1. This determination is based 
on the fact that g-X q <2 256 This inequality holds since g 
is obtained by taking no more than 2 16 -1 steps of size 

10 g x g 2 or 8g x g 2 up from a number that is smaller than 

X q +2 240 as described above. The steps are shorter than 
2 240 by our choice of q x and q 2 . 

Having established a value for W q , the p value is 
then inverse mapped from the user specific segment to 

15 the interval d a (block 714) . The next highest integer 
value from the mapped value is then selected as an 
initial value S p (block 716) . Thus, S p may be expressed 
as S p =fy], where y=G lrU ' 1 (p) . S p may be represented as 
D p ' | | E p , where the length of E p is j (i.e. 256) bits and 

20 the length of D p ' is n-j (i.e. n-256) bits. From the 
definition of XX pr XX p may be represented as M p \ \ N pe 
where M p is an unknown (at this stage of the prime 
recovery) quantity and N p is a known j (i.e. 256-bit- 
long) string equal to IV p ®F( W q || IV q ) . Thus, after 

25 inverse mapping p and taking the ceiling, N p is 

determined by XORing IV p with the mix of W q concatenated 
with IV q to provide a value of j bits in length (block 
718) . 

Then, it is determined if the least significant j 
30 bits of S p (i.e. E p ) are greater than or equal to N p 
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{block 720) . If Ep> N p then the first n-j bits of S p 
are used as D p (i.e. D p =D p ' ) (block 708). If the least 
significant j bits of S p are less than N p (block 706) 
then 1 is subtracted from the first n-j bits of S p and 
5 this value used as D p (i.e. D p =D p ' -1) (block 724). This 
value of D p is the same as the n-j most significant bits 
of XX p . W p is then recovered by determining W p = D p ® ( the 
n-j (i.e. 256) most significant bits of F{W q \\IV q )) 
(block 726) . 

10 To establish that the above procedure leads to the 

correct value of W p , it is first noted that 0 < XX p - 
Gj^-^Xp) < 1, therefore XX p =\y\, where y=G lr ^ (X p ) . Now, 
O^G^a 1 (pH-R^cT 1 [X^G^v 1 (p) -G ua ^ (X p ) +1 = 

— (p-X p ) +K1 256 . 

4 (1-—) 



15 Hence 0<S p -XX p <2 256 . This inequality holds since p is 

obtained by taking no more than 2 16 -1 steps of size p x p 2 
or 8p!p 2 up from a number that is smaller than X p +2 240 as 
described above. The steps are shorter than 2 240 by our 
choice of p x and p 2 . The final determination of W p may 

20 then be directly determined from the definition of XX p . 

The present invention has also been described with 
reference to the use of user specific information. 
User specific information could be a userlD or, 
biometric information or a combination of the two. In 

25 this regard, the present invention provides a means to 
"brand" a key, prime or other cryptographic value so 
that its rightful user can be determined. Those 
skilled in the art will recognize that such branding is 
not limited to only users, but could be used to brand a 

30 key, prime or other cryptographic value with 

information specific to and associated with an entity 



where the entity is other than a human user (i.e. 
entity specific information) . For example, the user 
specific information could be used to brand information 
with a company identifier (companylD) , thus enabling 
5 one to show that the branded value belongs to a 

specific company. Whereas a biometric is associated 
with a specific user, an identifier could be associated 
with a user, group, organization, company, etc., and 
therefore the present invention is not limited to a 
10 method of branding based only on user specific 

information. Thus, as used herein the term user 
specific information also refers to entity specific 
information. A human user is just an example of one 
type of entity. 

15 In the drawings and specification, there have been 

disclosed typical preferred embodiments of the 
invention and, although specific terms are employed, 
they are used in a generic and descriptive sense only 
and not for purposes of limitation, the scope of the 

20 invention being set forth in the following claims. 
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THAT WHJCH IS CLAIMED IS: 

/i. A method of generating RSA cryptographic 
values, the method comprising the steps of: 

obtaining entity specific information (B) about a 

user; 

obtaining a first secret seed value (W p ) and a 
second secret seed value (W q ) ; 

obtaining a third, publicly known, randomization 
value (IV) having a first portion (IV p ) and a second 
portion ( IV q ) ; 

dividing a potential range of RSA encryption 
values into a first interval and a second interval; 

generating a first initial value (XX p ) based on the 
first secret seed value (W p ) , the second secret seed 
value (W q ) and the first portion of the third 
randomization value (IV p ) ; 

mapping the first initial value to an entity 
specific segment of the first interval utilizing the 
obtained entity specific information (B) to provide a 
mapped first initial value (X p ) ; 

selecting a first entity dependent RSA 
cryptographic value (p) from the entity specific 
segment of the first interval utilizing the mapped 
first initial value as a starting point for a search 
for the first entity dependent RSA cryptographic value; 

generating a second initial value (XX q ) based on 
the first entity dependent RSA cryptographic value (p) , 
the second secret seed value (W q ) and the first portion 
of the third randomization value (IV q ); 

mapping the second initial value to a entity 
specific segment of the second interval utilizing the 
obtained entity specific information to provide a 
mapped second initial value (X q ) ; and 

selecting a second entity dependent RSA 
cryptographic value (q) from the entity specific 
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35 segment of the second interval utilizing the mapped 

second initial value as a starting point for a search 
for the second entity dependent RSA cryptographic 
value . 

2. A method according to Claim 1, further 
comprising the step of generating auxiliary prime 
divisors corresponding to the first entity dependent 
RSA cryptographic value (p) and the second entity 

5 dependent RSA cryptographic value (q) . 

3. A method according to Claim 2, wherein the 
auxiliary prime divisors are generated based upon the 
first secret seed value (W p ) , the second secret seed 
value (W q ) and the third randomization value (IV). 

4. A method according to Claim 3, wherein p 0 is a 
publicly known prime number whose length is at least n 
bits and g is a public generator, and wherein the step 
of generating auxiliary prime divisors comprises the 

5 steps of: 

concatenating the first secret seed value (W p ) , the 
second secret seed value (W q ) and the third 
randomization value (IV) so as to provide an exponent 
value (X) ; 

10 determining an initial random value by determining 

Y=g* (modp 0 ) ; 

selecting initial prime search values from the 
initial random value; 

setting the most significant bit of the initial 
15 prime search values to "1" to provide final prime 
search values; and 

selecting as the prime divisors the smallest prime 
value greater than or equal to the final prime search 
values . 



RSW9-99-055 



-36- 



5. A method according to Claim 4, further 
comprising the steps of: 

selecting at least one of a new first secret seed 
value (W p ) , a new second secret seed value (W q ) and a 
5 new third randomization value (IV) if the length of at 
least one of the prime divisors is greater than the 
length of the final prime search values; and 

re-generating the prime divisors if the length of 
at least one of the prime divisors is greater than the 
10 length of the final prime search values. 

6. A method according to Claim 4, wherein the 
initial prime search values have a first length if a 
public encryption exponent (e) has an odd value and a 
second length of the public encryption exponent (e) has 

5 an even value . 

7. A method according to Claim 5, wherein the 
first length is 120 bits and the second length is 118 
bits. 

8. A method according to Claim 1, wherein the 
entity specific segments comprise the segments [A+(B(C- 
A) ) /2 b , A+UB+l) (C-A))/2 b ] wherein A and C are the 
endpoints of the respective intervals and the entity 

5 specific information comprises b bits. 

9. A method according to Claim 8, wherein the 
RSA cryptographic values comprise n bits and wherein 
the first interval comprises RSA cryptographic values 
from the set of [V~2 ( 2"' 1 ) , 2 n - 1 + 2 n ~ 3/2 ] and the second 

5 interval comprises RSA cryptographic values from the 
set of [2 n - 1 +2 n ~ 3/2 ,2 n ] . 
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10. A method according to Claim 9, wherein the 
binary size of the RSA cryptographic values are 2n, a 
size m is n-b-2 and wherein the step of mapping the 
first initial value comprises the steps of: 

5 linearly mapping the first initial value to a 

entity specific segment of the first interval utilizing 
the obtained entity specific information (B) utilizing 
the linear mapping function 

G, n (x) =4 (1-— ) x+J22 n ~ x + 4 (1-— ) (B-l) 2 m ~ 1 ; and 

10 selecting as the mapped first initial value (X p ) 

the integer value which is not greater than the first 
initial value (XX P ) mapped utilizing the mapping function 
G lrU ; and 

wherein the step of mapping the second initial 
15 value comprises the step of linearly mapping the second 
initial value to a entity specific segment of the 
second interval utilizing the obtained entity specific 
information (B) utilizing the linear mapping 

function G 9 ix) =4 (1- — ) x+2^ 1 + 2 n ~ 3/2 + 4 (1-— ) (B-l)2 m ~ 1 ; 

J2 J2 

20 selecting as the mapped second initial value (X q ) 

the integer value which is not greater than the second 
initial value (XX q ) mapped utilizing the mapping function 
G 2iU . 

11. A method according to Claim 1, wherein the 
entity specific information is biometric information. 

12. A method according to Claim 1, wherein the 
entity specific information is a globally unique user 
identification . 
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13. A method according to Claim 1, further 
comprising the steps of: 

determining if a candidate for p is considered 
outside the range of RSA cryptographic values in the 
5 entity specific segment of the first interval; 

selecting at least one of a new first secret seed 
value (W p ) , a new second secret seed value (W q ) and a 
new third randomization value (IV) if a candidate for p 
is considered outside the range of RSA cryptographic 
10 values in the entity specific segment of the first 
interval ; 

determining if a candidate for g is considered 
outside the range of RSA cryptographic values in the 
entity specific segment of the second interval; 

15 selecting at least one of a new first secret seed 

value (W p ) , a new second secret seed value (W q ) and a 
new third randomization value (IV) if a candidate for q 
is considered outside the range of RSA cryptographic 
values in the entity specific segment of the second 

20 interval; and 

restarting the cryptographic value generation 
utilizing the first and second secret seed values and 
third randomization value if either a candidate for p 
is considered outside the range of RSA cryptographic 

25 values in the entity specific segment of the first 

interval or if a candidate for q is considered outside 
the range of RSA cryptographic values in the entity 
specific segment of the second interval. 

14. A method according to Claim 1 further 
comprising the steps of: 

determining if 2 16 -1 candidates for p have been 
rejected in selecting the first entity dependent RSA 
5 cryptographic value; 
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selecting at least one of a new first secret seed 
value (W p ) , a new second secret seed value (W q ) and a 
new third randomization value (IV) if 2 16 -1 candidates 
for p have been rejected in selecting the first entity 
dependent RSA cryptographic value; 

determining if 2 16 -1 candidates for q have been 
rejected in selecting the second entity dependent RSA 
cryptographic valuer- 
selecting at least one of a new first secret seed 
value (W p ) , a new second secret seed value (W q ) and a 
new third randomization value (IV) if 2 16 -1 candidates 
for q have been rejected in selecting the second entity 
dependent RSA cryptographic value; and 

restarting the cryptographic generation utilizing 
the first and second secret seed values and third 
randomization value if either 2 16 -1 candidates for p 
have been rejected in selecting the first entity 
dependent RSA cryptographic value or if 2 16 -1 candidates 
for q have been rejected in selecting the second entity 
dependent RSA cryptographic value. 

15. A method according to Claim 1, wherein the 
step of generating a first initial value comprises the 
steps of: 

mixing a concatenation of W q and IV q utilizing a 
publicly known mixing function; 

concatenating W p and IV p ; and 

EXCLUSIVE-ORing the mixed concatenation of W q and 
IV q and the concatenation W p and IV p to provide the 
first initial value (XX p ) ; and 

wherein the step of generating a second initial 
value comprises the steps of: 

EXCLUSIVE ORing p and IV p ; 

mixing the EXCLUSIVE OR of p and IV p utilizing the 
publicly known mixing function; 
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concatenating W q and IV q ; and 

EXCLUSIVE-ORing the mixed EXCLUSIVE OR of p and IV p 
and the concatenation of W q and IV q to provide the 
second initial value (XX q ) . 

16. A method according to Claim 1, further 
comprising the step of authenticating generated 
candidate RSA cryptographic values. 

17. A method according to Claim 16, wherein the 
step of authenticating comprises the steps of: 

recovering two candidate prime values utilizing 
the RSA public modulus (N) and the private signature 
exponent (d) ; 

establishing a first of the two prime values as a 
first candidate cryptographic value (p') and the second 
of the two prime values as a second candidate 
cryptographic value (q'); 

recovering first and second candidate seed values 
W p ' and W q ' from the first and second candidate 
cryptographic values p' and q' and from the third 
publicly known seed value IV; 

generating first and second RSA cryptographic 
values p' ' and q' ' utilizing W p ' and W q ' and IV; and 

comparing p* and p' ' and q' and q' ' to 
authenticate the RSA cryptographic values. 

18. A method according to Claim 17, further 
comprising the step of determining that the RSA 
cryptographic values are not authentic if p' and q' are 
values outside the entity defined segments of the first 
and second intervals. 



19. A method according to Claim 17, wherein the 
first of the two prime numbers is a smaller of the two 
prime numbers . 



20. A method according to Claim 17, wherein the 
step of recovering first and second candidate seed 
values W p ' and W q T from the first and second candidate 
cryptographic values p' and q' and from the third 
5 publicly known seed value IV comprises the steps of: 

inverse mapping the second candidate value q' to 
provide a first initial value S q ; 

EXCLUSIVE ORing the first candidate cryptographic 
value p 1 and IV p ; 
10 mixing the EXCLUSIVE OR of the first candidate 

cryptographic value p' and IV p with the publicly known 
mixing function; 

EXCLUSIVE ORing the mixed EXCLUSIVE OR of the 
first candidate cryptographic value p' and IV p with IV q 
15 to provide a first known value (N q ) having a length (j); 

determining if a value corresponding to the j 
least significant bits of S q is less than the first 
known value N q ; 

EXCLUSIVE ORing the n-j most significant bits of 
20 the mixed concatenation of the first candidate 
cryptographic value p' and IV p with the n-j most 
significant bits of S q if the value corresponding to the 
j least significant bits of the first subsequent value 
is not less than the first known value N q , to provide 
25 the second candidate seed value; 

EXCLUSIVE ORing the n-j most significant bits of 
the mixed concatenation of the first candidate 
cryptographic value p' and IV p with 1 subtracted from 
the value corresponding to the n-j most significant 
30 bits of S q if the value corresponding to the j least 

significant bits of the first subsequent value is less 
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than the first known value N q , to provide the second 
candidate seed value; 

inverse mapping the first candidate value p' to 
35 provide a second initial value S p ; 

concatenating the second candidate seed value and 

iv q ; 

mixing the concatenation of the second candidate 
seed value and IV q with the publicly known mixing 
40 function; 

EXCLUSIVE ORing the mixed concatenation of the 
second candidate seed value and IV q with IV P to provide 
a second known value N p having a length (j); 

determining if a value corresponding to the j 
45 least significant bits of S p is less than the second 
known value N p ; 

EXCLUSIVE ORing the n-j most significant bits of 
the mixed concatentation of the second candidate seed 
value and IV q with the n-j most significant bits of S p 
50 if value corresponding to the j least significant bits 
of the second subsequent value is not less than the 
second known value N p , to provide the first candidate 
seed value; 

EXCLUSIVE ORing the n-j most significant bits of 
55 the mixed concatenation of the second candidate seed 
value and IV q with 1 subtracted from the value 
corresponding to the n-j most significant bits of S p if 
the value corresponding to the j least significant bits 
of the second subsequent value is less than the second 
60 known value N p , to provide the first candidate seed 
value . 

21. A method according to Claim 20, wherein j is 
256 bits. 
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2*2. A system for generating an RSA cryptographic 
va^Se, utilizing entity specific information (B) about 
an entity, a first secret seed value (W p ) and a second 
secret seed value (W q ) , and a third, publicly known, 
randomization value (IV) having a first portion (IV p ) 
and a second portion (IV q ), comprising: 

means for dividing a potential range of RSA 
encryption values into a first interval and a second 
interval; 

means for generating a first initial value (XX p ) 
based on the first secret seed value (W p ) , the second 
secret seed value (W q ) and the first portion of the 
third randomization value (IV p ) ; 

means for mapping the first initial value to a 
entity specific segment of the first interval utilizing 
the obtained entity specific information (B) to provide 
a mapped first initial value (X p ) ; 

means for selecting a first entity dependent RSA 
cryptographic value (p) from the entity specific 
segment of the first interval utilizing the mapped 
first initial value as a starting point for a search 
for the first entity dependent RSA cryptographic value; 

means for generating a second initial value (XX q ) 
based on the first entity dependent RSA cryptographic 
value (p) , the second secret seed value (W q ) and the 
first portion of the third randomization value (IV q ) ; 

means for mapping the second initial value to a 
entity specific segment of the second interval 
utilizing the obtained entity specific information to 
provide a mapped second initial value (X q ) ; and 

means for selecting a second entity dependent RSA 
cryptographic value (q) from the entity specific 
segment of the second interval utilizing the mapped 
second initial value as a starting point for a search 
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35 for the second entity dependent RSA cryptographic 
value . 

23. A system according to Claim 22, further 
comprising means for authenticating generated candidate 
RSA cryptographic values. 

24. A system according to Claim 23, wherein the 
means for authenticating comprises: 

means for recovering two candidate prime values 
utilizing the RSA public modulus (n) and the private 
5 signature exponent (d) of the encrypted message ; 

means for establishing a first of the two prime 
values as a first candidate cryptographic value (p') 
and the second of the two prime values as a second 
candidate cryptographic value (q'); 
10 means for recovering first and second candidate 

seed values W p ' and W q ' from the first and second 
candidate cryptographic values p' and q 1 and from the 
third publicly known seed value IV; 

means for generating first and second RSA 
15 cryptographic values p'' and q' ' utilizing W p ' and W q ' 
and IV; and 

means for comparing p 1 and p' ' and q' and q' ' to 
authenticate the message. 

Zgf. A computer program product for generating an 
RSA /Cryptographic value, utilizing entity specific 
information (B) about an entity, a first secret seed 
value (W p ) and a second secret seed value (W q ) , and a 
5 third, publicly known, randomization value (IV) having 
a first portion (IV P ) and a second portion (IV q ) , 
comprising : 
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a computer readable storage medium having computer 
readable program code embodied in said medium, said 
10 computer readable program code comprising: 

computer readable code which divides a potential 
range of RSA encryption values into a first interval 
and a second interval; 

computer readable code which generates a first 
15 initial value (XX p ) based on the first secret seed value 
(W p ) , the second secret seed value (W q ) and the first 
portion of the third randomization value (IV P ) ; 

computer readable code which maps the first 
initial value to a entity specific segment of the first 
20 interval utilizing the obtained entity specific 

information (B) to provide a mapped first initial value 

(Xp) ; 

computer readable code which selects a first 
entity dependent RSA cryptographic value (p) from the 
25 entity specific segment of the first interval utilizing 
the mapped first initial value as a starting point for 
a search for the first entity dependent RSA 
cryptographic value; 

computer readable code which generates a second 
30 initial value (XX q ) based on the first entity dependent 
RSA cryptographic value (p) , the second secret seed 
value (W q ) and the first portion of the third 
randomization value (IV q ) ; 

computer readable code which maps the second 
35 initial value to a entity specific segment of the 

second interval utilizing the obtained entity specific 
information to provide a mapped second initial value 
(X q ) ; and 

computer readable code which selects a second 
40 entity dependent RSA cryptographic value (q) from the 
entity specific segment of the second interval 
utilizing the mapped second initial value as a starting 
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point for a search for the second entity dependent RSA 
cryptographic value. 

26. A computer program product according to Claim 

25, further comprising computer readable code which 
authenticates generated candidate RSA cryptographic 
values . 

27. A computer program product according to Claim 

26, wherein the computer readable code which 
authenticates comprises: 

computer readable code which recovers two 
5 candidate prime values utilizing the RSA public modulus 
(n) and the private signature exponent (d) of the 
encrypted message; 

computer readable code which establishes a first 
of the two prime values as a first candidate 
10 cryptographic value (p') and the second of the two 

prime values as a second candidate cryptographic value 
(q'); 

computer readable code which recovers first and 
second candidate seed values W p ' and W q ' from the first 
15 and second candidate cryptographic values p' and q' and 
from the third publicly known seed value IV; 

computer readable code which generates first and 
second RSA cryptographic values p 1 ' and q' ' utilizing 
W p ' and W q ' and IV; and 
20 computer readable code which compares p' and p'' 

and q' and q'' to authenticate the message. 
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METHODS, SYSTEMS AND COMPUTER PROGRAM PRODUCTS FOR 
GENERATING USER-DEPENDENT RSA VALUES WITHOUT STORING 
SEEDS 

Abstract of the Disclosure 

Methods, systems and computer program products are 
provided which allow for generation and authentication 
of RSA encrypted values by utilizing a combination of 
5 entity specific information such as biometric 

information and by incorporating information about the 
secret seeds into the cryptographic values p and q 
utilized to encrypt the information. Thus, 
authentication of an encrypted message may be achieved 
10 without requiring storage of the secret seed values 
utilized to generate the cryptographic values. 
Furthermore the present invention assures that users 
with different entity specific information utilize 
different p and q values. 
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